nexo-brain 6.3.0 → 6.4.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "6.3.0",
+  "version": "6.4.0",
   "description": "Local cognitive runtime for Claude Code \u2014 persistent memory, overnight learning, doctor diagnostics, personal scripts, recovery-aware jobs, startup preflight, and optional dashboard/power helper.",
   "author": {
     "name": "NEXO Brain",

package/README.md

@@ -18,7 +18,11 @@
 
 [Watch the overview video](https://nexo-brain.com/watch/) · [Watch on YouTube](https://www.youtube.com/watch?v=i2lkGhKyVqI) · [Open the infographic](https://nexo-brain.com/assets/nexo-brain-infographic-v5.png)
 
-Version `6.3.0` is the current packaged-runtime line — Plan Consolidado wave 2, coordinated with NEXO Desktop v0.18.0. Closes the remaining Guardian roadmap items that do not require an invasive structure migration: extended `cognitive_sentiment` shape (is_correction/valence/intent), extended `entities` schema, 21 labelled rule fixtures with R13 spike gates, Fase F telemetry loops + Deep Sleep phase, pinned local zero-shot classifier skeleton (mDeBERTa), hook respects `NEXO_MIGRATING=1`, `origin` column on `personal_scripts`, and the T4 LLM gate wrapping R15/R23e/R23f/R23h (byte-parity Py ↔ JS). Two pre-release auditors flagged a CRITICAL in the first JS wire (method-name + async mismatch) and a HIGH (classifier bool conflated "no" with "unparseable"); both corrected with regression tests before merge.
+Version `6.4.0` is the current packaged-runtime line — Plan Consolidado fase F1: multi-tenant email accounts (`email_accounts` table, `nexo email setup` interactive wizard, `nexo email add --password-stdin --json` for the Desktop bridge, idempotent migrator from legacy `~/.nexo/nexo-email/config.json`). The matching NEXO Desktop release (v0.19.0) ships the Email + Automations Settings panels so non-technical operators never have to touch a config file. See [CHANGELOG](CHANGELOG.md) for the full diff.
+
+Previously in `6.3.1`: privacy hotfix over v6.3.0. The nightly auditor caught that `src/presets/entities_universal.json` in v6.3.0 shipped operator-specific `vhost_mapping` entries (private IPs, hostnames, tenant names). v6.3.1 pulls those out into `src/presets/entities_local.sample.json` (template) + `.gitignore`'d `~/.nexo/brain/presets/entities_local.json` (operator copy), and the installer drops the sample at `nexo init`. No behaviour change on the Guardian side.
+
+Previously in `6.3.0` — Plan Consolidado wave 2, coordinated with NEXO Desktop v0.18.0. Closes the remaining Guardian roadmap items that do not require an invasive structure migration: extended `cognitive_sentiment` shape (is_correction/valence/intent), extended `entities` schema, 21 labelled rule fixtures with R13 spike gates, Fase F telemetry loops + Deep Sleep phase, pinned local zero-shot classifier skeleton (mDeBERTa), hook respects `NEXO_MIGRATING=1`, `origin` column on `personal_scripts`, and the T4 LLM gate wrapping R15/R23e/R23f/R23h (byte-parity Py ↔ JS). Two pre-release auditors flagged a CRITICAL in the first JS wire (method-name + async mismatch) and a HIGH (classifier bool conflated "no" with "unparseable"); both corrected with regression tests before merge.
 
 Previously in `6.1.1`: small fix to `nexo --help` so the `Latest: vX` line reliably appears when NEXO Desktop invokes the CLI via subprocess — unblocks the Desktop Brain auto-update banner that previously couldn't parse the version delta. No behaviour change for interactive terminal users; the 6-hour registry cache still rate-limits network calls. Bundles all v6.1.0 Protocol Enforcer Fase 2 + multi-claude-sid hotfix content.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexo-brain",
-  "version": "6.3.0",
+  "version": "6.4.0",
   "mcpName": "io.github.wazionapps/nexo",
   "description": "NEXO Brain \u2014 Shared brain for AI agents. Persistent memory, semantic RAG, natural forgetting, metacognitive guard, trust scoring, 150+ MCP tools. Works with Claude Code, Codex, Claude Desktop & any MCP client. 100% local, free.",
   "homepage": "https://nexo-brain.com",

package/src/auto_update.py

@@ -1519,12 +1519,56 @@ def _run_db_migrations() -> bool:
         applied = run_migrations(conn)
         if applied > 0:
             _log(f"Applied {applied} DB migration(s)")
+        # Plan Consolidado F1 — one-shot legacy email config migration.
+        # After m46 adds the table, operators installed pre-v6.4.0 still
+        # keep their data inside ~/.nexo/nexo-email/config.json. If the
+        # table is empty and the JSON exists, port the primary account
+        # over automatically so scripts pick up the new source on the
+        # next cron without the operator running anything manually.
+        _maybe_migrate_legacy_email_config()
         return True
     except Exception as e:
         _log(f"DB migration error: {e}")
         return False
 
 
+def _maybe_migrate_legacy_email_config() -> None:
+    """F1 auto-migrator — idempotent. Runs the helper script the first
+    time after v6.4.0 lands on an existing runtime."""
+    try:
+        from db._email_accounts import get_email_account
+    except Exception:
+        return  # m46 not applied yet (older runtime), nothing to do
+    try:
+        legacy = NEXO_HOME / "nexo-email" / "config.json"
+        if not legacy.exists():
+            return
+        if get_email_account("primary"):
+            return  # already migrated
+        import subprocess as _sp
+        script = Path(__file__).resolve().parent / "scripts" / "nexo-email-migrate-config.py"
+        if not script.exists():
+            return
+        _log("F1: migrating legacy email config.json → email_accounts table")
+        env = {**os.environ, "PYTHONPATH": str(Path(__file__).resolve().parent)}
+        r = _sp.run(
+            [sys.executable, str(script)],
+            env=env,
+            capture_output=True,
+            text=True,
+            timeout=30,
+        )
+        if r.returncode == 0:
+            line = (r.stdout.strip().splitlines() or ["ok"])[-1]
+            _log(f"F1 email migration: {line}")
+        else:
+            _log(f"F1 email migration FAILED (rc={r.returncode}): {r.stderr.strip()[:200]}")
+    except _sp.TimeoutExpired:
+        _log("F1 email migration timed out after 30s")
+    except Exception as exc:
+        _log(f"F1 email migration skipped: {exc}")
+
+
 # ── npm version check (notify only) ─────────────────────────────────
 
 def _check_npm_version() -> str | None:

package/src/cli.py

@@ -2046,6 +2046,13 @@ def main():
     parser.add_argument("-v", "--version", action="store_true", help="Show version")
     sub = parser.add_subparsers(dest="command")
 
+    # -- email (Plan F1 — interactive wizard for email accounts) --
+    try:
+        from cli_email import register_email_parser
+        register_email_parser(sub)
+    except Exception as _exc_email:  # pragma: no cover
+        pass
+
     # -- chat --
     chat_parser = sub.add_parser("chat", help="Launch a NEXO terminal client")
     chat_parser.add_argument("path", nargs="?", default=".", help="Working directory (default: current directory)")
@@ -2354,6 +2361,14 @@ def main():
         print(f"nexo v{_get_version()}")
         return 0
 
+    if args.command == "email":
+        # Plan F1 — setup / list / test / remove cuentas email.
+        fn = getattr(args, "func", None)
+        if fn is None:
+            print("usage: nexo email {setup,list,test,remove}")
+            return 1
+        return int(fn(args) or 0)
+
     if args.command == "scripts":
         if args.scripts_command == "list":
             return _scripts_list(args)

package/src/cli_email.py

@@ -0,0 +1,492 @@
+"""Plan Consolidado F1 — `nexo email` subcommands.
+
+Two consumers, one CLI:
+
+1. Operators on a terminal — friendly interactive wizard with prompts,
+   confirmations, and green checks / red errors.
+2. NEXO Desktop renderer (Plan F1 panel) — every command also accepts
+   `--json` for machine-readable I/O and a `--password-stdin` flag to
+   accept secrets without leaking them on argv.
+
+Subcommands:
+    nexo email setup                interactive wizard (primary account)
+    nexo email add ...              non-interactive (Desktop / scripts)
+    nexo email list [--json]        show all accounts, masked password
+    nexo email test <label> [--json]   IMAP + SMTP connectivity probe
+    nexo email remove <label> [--yes] [--json]  remove account + cred
+"""
+
+from __future__ import annotations
+
+import getpass
+import json
+import sys
+import time
+from typing import Any
+
+
+def _prompt(msg: str, default: str = "") -> str:
+    suffix = f" [{default}]" if default else ""
+    try:
+        raw = input(f"{msg}{suffix}: ")
+    except (EOFError, KeyboardInterrupt):
+        print("\n(cancelled)")
+        sys.exit(1)
+    return raw.strip() or default
+
+
+def _prompt_int(msg: str, default: int) -> int:
+    while True:
+        raw = _prompt(msg, str(default))
+        try:
+            return int(raw)
+        except ValueError:
+            print(f"  ✗ '{raw}' no es un número. Prueba otra vez.")
+
+
+def _prompt_yes_no(msg: str, default: bool = True) -> bool:
+    d = "Y/n" if default else "y/N"
+    while True:
+        raw = _prompt(f"{msg} [{d}]").lower()
+        if not raw:
+            return default
+        if raw in ("y", "yes", "s", "si", "sí"):
+            return True
+        if raw in ("n", "no"):
+            return False
+        print("  ✗ Responde y o n.")
+
+
+def _mask_password(pw: str) -> str:
+    if not pw:
+        return "(vacío)"
+    if len(pw) <= 4:
+        return "•" * len(pw)
+    return pw[0] + "•" * (len(pw) - 2) + pw[-1]
+
+
+def _store_credential(service: str, key: str, value: str) -> None:
+    """Write password to the `credentials` table (simple cleartext by
+    default — upgrading to keychain is a v7 follow-up). Never echo the
+    password back to stdout."""
+    from db._core import get_db
+    conn = get_db()
+    now = time.time()
+    conn.execute(
+        """
+        INSERT INTO credentials (service, key, value, notes, created_at, updated_at)
+        VALUES (?, ?, ?, 'email account password (nexo email setup)', ?, ?)
+        ON CONFLICT(service, key) DO UPDATE SET
+            value = excluded.value,
+            updated_at = excluded.updated_at
+        """,
+        (service, key, value, now, now),
+    )
+    conn.commit()
+
+
+def _delete_credential(service: str, key: str) -> None:
+    from db._core import get_db
+    conn = get_db()
+    conn.execute("DELETE FROM credentials WHERE service = ? AND key = ?", (service, key))
+    conn.commit()
+
+
+def cmd_email_setup(args) -> int:
+    """Interactive wizard. Fresh install: operator runs this once."""
+    print("━" * 60)
+    print("NEXO · Asistente de configuración de email")
+    print("━" * 60)
+    print("Te voy a preguntar los datos de la cuenta de correo que")
+    print("NEXO usará para leer y contestar. Si te equivocas, vuelve")
+    print("a ejecutar `nexo email setup` en cualquier momento.\n")
+
+    from db import init_db
+    from db._email_accounts import add_email_account, get_email_account
+
+    init_db()
+
+    label = _prompt("Etiqueta de la cuenta (ej: 'primary', 'wazion')", "primary")
+
+    existing = get_email_account(label)
+    if existing:
+        if not _prompt_yes_no(
+            f"Ya existe una cuenta '{label}' ({existing.get('email')}). ¿La sobrescribo?",
+            default=False,
+        ):
+            print("Cancelado.")
+            return 1
+
+    email = _prompt("Dirección email (ej: nexo@tudominio.com)")
+    if not email or "@" not in email:
+        print(f"  ✗ '{email}' no parece un email válido.")
+        return 1
+
+    imap_host = _prompt("Servidor IMAP (entrada)", "imap.gmail.com")
+    imap_port = _prompt_int("Puerto IMAP", 993)
+    smtp_host = _prompt("Servidor SMTP (salida)", imap_host.replace("imap", "smtp"))
+    smtp_port = _prompt_int("Puerto SMTP", 465)
+
+    try:
+        pwd = getpass.getpass("Contraseña (no se mostrará): ")
+    except (EOFError, KeyboardInterrupt):
+        print("\n(cancelado)")
+        return 1
+    if not pwd:
+        print("  ✗ Necesito una contraseña.")
+        return 1
+
+    operator_email = _prompt(
+        "Email donde NEXO te enviará el briefing matinal (tu email personal)",
+        email,
+    )
+
+    trusted_raw = _prompt(
+        "Dominios de confianza separados por coma (puedes dejar vacío)",
+        "",
+    )
+    trusted = [d.strip() for d in trusted_raw.split(",") if d.strip()]
+
+    role = _prompt(
+        "Rol de la cuenta: inbox (solo leer) / outbox (solo enviar) / both",
+        "both",
+    )
+    if role not in ("inbox", "outbox", "both"):
+        role = "both"
+
+    cred_service = "email"
+    cred_key = label
+    _store_credential(cred_service, cred_key, pwd)
+
+    account = add_email_account(
+        label=label,
+        email=email,
+        imap_host=imap_host,
+        imap_port=imap_port,
+        smtp_host=smtp_host,
+        smtp_port=smtp_port,
+        credential_service=cred_service,
+        credential_key=cred_key,
+        operator_email=operator_email,
+        trusted_domains=trusted,
+        role=role,
+    )
+
+    print()
+    print("✓ Cuenta guardada:")
+    print(f"  label:          {account.get('label')}")
+    print(f"  email:          {account.get('email')}")
+    print(f"  IMAP:           {account.get('imap_host')}:{account.get('imap_port')}")
+    print(f"  SMTP:           {account.get('smtp_host')}:{account.get('smtp_port')}")
+    print(f"  operator_email: {account.get('operator_email')}")
+    print(f"  trusted:        {account.get('trusted_domains') or '(ninguno)'}")
+    print(f"  role:           {account.get('role')}")
+    print(f"  password:       {_mask_password(pwd)} (guardada en credentials)")
+    print()
+    if _prompt_yes_no("¿Pruebo la conexión ahora?", default=True):
+        return cmd_email_test(type("Args", (), {"label": label})())
+    print("Puedes probarla cuando quieras con: nexo email test " + label)
+    return 0
+
+
+def _emit_json(payload: dict) -> None:
+    """Print a JSON payload on stdout. Used so machine consumers
+    (NEXO Desktop renderer) can parse cleanly; the human path keeps
+    its rich text output."""
+    print(json.dumps(payload, ensure_ascii=False))
+
+
+def _account_to_public_dict(account: dict) -> dict:
+    """Return the operator-safe view of an email account row.
+    NEVER includes the password; only flags whether a credential is
+    stored so the UI can show a 'no password yet' marker."""
+    if not account:
+        return {}
+    return {
+        "label": account.get("label"),
+        "email": account.get("email"),
+        "imap_host": account.get("imap_host"),
+        "imap_port": account.get("imap_port"),
+        "smtp_host": account.get("smtp_host"),
+        "smtp_port": account.get("smtp_port"),
+        "operator_email": account.get("operator_email"),
+        "trusted_domains": account.get("trusted_domains") or [],
+        "role": account.get("role", "both"),
+        "enabled": bool(account.get("enabled", True)),
+        "has_credential": bool(account.get("credential_service")
+                               and account.get("credential_key")),
+    }
+
+
+def cmd_email_list(args) -> int:
+    from db import init_db
+    from db._email_accounts import list_email_accounts
+
+    init_db()
+    accounts = list_email_accounts(include_disabled=True)
+    if getattr(args, "json", False):
+        _emit_json({
+            "ok": True,
+            "accounts": [_account_to_public_dict(a) for a in accounts],
+        })
+        return 0
+    if not accounts:
+        print("(sin cuentas configuradas — corre `nexo email setup`)")
+        return 0
+    print(f"{'LABEL':<16} {'EMAIL':<40} {'ROLE':<8} {'ENABLED':<8} IMAP")
+    for a in accounts:
+        print(
+            f"{a.get('label',''):<16} {a.get('email',''):<40} "
+            f"{a.get('role',''):<8} "
+            f"{'✓' if a.get('enabled') else '✗':<8} "
+            f"{a.get('imap_host','')}:{a.get('imap_port','')}"
+        )
+    return 0
+
+
+def cmd_email_add(args) -> int:
+    """Non-interactive add. Used by the Desktop email panel and any
+    script. Password is read from stdin when ``--password-stdin`` is
+    set (so it never appears on argv / ps output)."""
+    json_mode = getattr(args, "json", False)
+    label = (getattr(args, "label", None) or "").strip()
+    email = (getattr(args, "email", None) or "").strip()
+    imap_host = (getattr(args, "imap_host", None) or "").strip()
+    smtp_host = (getattr(args, "smtp_host", None) or "").strip()
+    if not (label and email and imap_host and smtp_host):
+        msg = "missing required field (--label, --email, --imap-host, --smtp-host)"
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(f"✗ {msg}")
+        return 1
+    if "@" not in email:
+        msg = f"'{email}' no parece un email válido."
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(f"✗ {msg}")
+        return 1
+    imap_port = int(getattr(args, "imap_port", None) or 993)
+    smtp_port = int(getattr(args, "smtp_port", None) or 465)
+    role = (getattr(args, "role", None) or "both").strip()
+    if role not in ("inbox", "outbox", "both"):
+        role = "both"
+    operator_email = (getattr(args, "operator", None) or "").strip()
+    trusted_raw = (getattr(args, "trusted_domains", None) or "").strip()
+    trusted = [d.strip() for d in trusted_raw.split(",") if d.strip()] if trusted_raw else []
+
+    if getattr(args, "password_stdin", False):
+        try:
+            pwd = sys.stdin.read()
+        except Exception as exc:
+            msg = f"could not read password from stdin: {exc}"
+            if json_mode:
+                _emit_json({"ok": False, "message": msg})
+            else:
+                print(f"✗ {msg}")
+            return 1
+        # Trim a single trailing newline so the operator can pipe with `echo`,
+        # but preserve internal whitespace / leading spaces (rare but legal).
+        if pwd.endswith("\n"):
+            pwd = pwd[:-1]
+        if pwd.endswith("\r"):
+            pwd = pwd[:-1]
+    else:
+        pwd = getattr(args, "password", None) or ""
+    if not pwd:
+        msg = "missing password (use --password-stdin or --password)"
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(f"✗ {msg}")
+        return 1
+
+    from db import init_db
+    from db._email_accounts import add_email_account
+
+    init_db()
+    cred_service = "email"
+    cred_key = label
+    _store_credential(cred_service, cred_key, pwd)
+    account = add_email_account(
+        label=label,
+        email=email,
+        imap_host=imap_host,
+        imap_port=imap_port,
+        smtp_host=smtp_host,
+        smtp_port=smtp_port,
+        credential_service=cred_service,
+        credential_key=cred_key,
+        operator_email=operator_email,
+        trusted_domains=trusted,
+        role=role,
+    )
+    public = _account_to_public_dict(account)
+    if json_mode:
+        _emit_json({"ok": True, "account": public})
+    else:
+        print(f"✓ Cuenta '{label}' guardada.")
+    return 0
+
+
+def cmd_email_test(args) -> int:
+    json_mode = getattr(args, "json", False)
+    # Keep the legacy positional + the new --label flag both wired.
+    label = getattr(args, "label", None) or getattr(args, "label_pos", None)
+    if not label:
+        msg = "usage: nexo email test <label>"
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(msg)
+        return 1
+    from db import init_db
+    from email_config import load_email_config
+
+    init_db()
+    cfg = load_email_config(label=label)
+    if cfg is None:
+        msg = f"Cuenta '{label}' no encontrada."
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(f"✗ {msg}")
+        return 1
+
+    ok_imap = False
+    err_imap = ""
+    ok_smtp = False
+    err_smtp = ""
+    try:
+        import imaplib
+        imap = imaplib.IMAP4_SSL(cfg["imap_host"], cfg["imap_port"])
+        imap.login(cfg["email"], cfg["password"])
+        imap.logout()
+        ok_imap = True
+    except Exception as exc:
+        err_imap = str(exc)
+
+    try:
+        import smtplib
+        smtp = smtplib.SMTP_SSL(cfg["smtp_host"], cfg["smtp_port"], timeout=15)
+        smtp.login(cfg["email"], cfg["password"])
+        smtp.quit()
+        ok_smtp = True
+    except Exception as exc:
+        err_smtp = str(exc)
+
+    if json_mode:
+        _emit_json({
+            "ok": ok_imap and ok_smtp,
+            "label": label,
+            "imap": {"ok": ok_imap, "host": cfg["imap_host"], "port": cfg["imap_port"], "error": err_imap},
+            "smtp": {"ok": ok_smtp, "host": cfg["smtp_host"], "port": cfg["smtp_port"], "error": err_smtp},
+            "message": "Login OK" if (ok_imap and ok_smtp) else (err_imap or err_smtp or "test failed"),
+        })
+    else:
+        if ok_imap:
+            print(f"✓ IMAP {cfg['imap_host']}:{cfg['imap_port']} login OK")
+        else:
+            print(f"✗ IMAP {cfg['imap_host']}:{cfg['imap_port']} FAILED: {err_imap}")
+        if ok_smtp:
+            print(f"✓ SMTP {cfg['smtp_host']}:{cfg['smtp_port']} login OK")
+        else:
+            print(f"✗ SMTP {cfg['smtp_host']}:{cfg['smtp_port']} FAILED: {err_smtp}")
+    return 0 if (ok_imap and ok_smtp) else 1
+
+
+def cmd_email_remove(args) -> int:
+    json_mode = getattr(args, "json", False)
+    label = getattr(args, "label", None) or getattr(args, "label_pos", None)
+    if not label:
+        msg = "usage: nexo email remove <label>"
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(msg)
+        return 1
+    from db import init_db
+    from db._email_accounts import get_email_account, remove_email_account
+
+    init_db()
+    acc = get_email_account(label)
+    if not acc:
+        msg = f"Cuenta '{label}' no encontrada."
+        if json_mode:
+            _emit_json({"ok": False, "message": msg})
+        else:
+            print(f"✗ {msg}")
+        return 1
+    if not getattr(args, "yes", False):
+        if json_mode:
+            _emit_json({"ok": False, "message": "missing --yes (interactive confirmation required)"})
+            return 1
+        if not _prompt_yes_no(f"¿Eliminar la cuenta '{label}' ({acc.get('email')})?", default=False):
+            print("Cancelado.")
+            return 0
+    _delete_credential(acc.get("credential_service", ""), acc.get("credential_key", ""))
+    remove_email_account(label)
+    if json_mode:
+        _emit_json({"ok": True, "label": label, "message": "removed"})
+    else:
+        print(f"✓ Cuenta '{label}' eliminada.")
+    return 0
+
+
+def register_email_parser(subparsers) -> None:
+    """Hook called by cli.py to add the `email` subcommand tree."""
+    p = subparsers.add_parser("email", help="Gestionar cuentas de correo NEXO")
+    p.set_defaults(func=lambda a: p.print_help() or 0)
+    sub = p.add_subparsers(dest="email_action")
+
+    s = sub.add_parser("setup", help="Asistente interactivo para añadir / reconfigurar una cuenta")
+    s.set_defaults(func=cmd_email_setup)
+
+    s = sub.add_parser("add", help="Añadir cuenta de forma no-interactiva (Desktop / scripts)")
+    s.add_argument("--label", required=True)
+    s.add_argument("--email", required=True)
+    s.add_argument("--imap-host", dest="imap_host", required=True)
+    s.add_argument("--imap-port", dest="imap_port", type=int, default=993)
+    s.add_argument("--smtp-host", dest="smtp_host", required=True)
+    s.add_argument("--smtp-port", dest="smtp_port", type=int, default=465)
+    s.add_argument("--operator", dest="operator", default="")
+    s.add_argument("--trusted-domains", dest="trusted_domains", default="")
+    s.add_argument("--role", dest="role", default="both", choices=["inbox", "outbox", "both"])
+    pwd_group = s.add_mutually_exclusive_group()
+    pwd_group.add_argument("--password", dest="password",
+                           help="Password on argv (NOT recommended; visible to ps).")
+    pwd_group.add_argument("--password-stdin", dest="password_stdin", action="store_true",
+                           help="Read password from stdin (recommended).")
+    s.add_argument("--json", dest="json", action="store_true")
+    s.set_defaults(func=cmd_email_add)
+
+    s = sub.add_parser("list", help="Listar cuentas configuradas")
+    s.add_argument("--json", dest="json", action="store_true")
+    s.set_defaults(func=cmd_email_list)
+
+    s = sub.add_parser("test", help="Probar IMAP + SMTP de una cuenta")
+    s.add_argument("label_pos", nargs="?", default=None,
+                   help="Etiqueta de la cuenta (legacy positional)")
+    s.add_argument("--label", dest="label", default=None)
+    s.add_argument("--json", dest="json", action="store_true")
+    s.set_defaults(func=cmd_email_test)
+
+    s = sub.add_parser("remove", help="Eliminar una cuenta")
+    s.add_argument("label_pos", nargs="?", default=None,
+                   help="Etiqueta de la cuenta (legacy positional)")
+    s.add_argument("--label", dest="label", default=None)
+    s.add_argument("--yes", dest="yes", action="store_true",
+                   help="Skip the interactive confirmation (required for --json).")
+    s.add_argument("--json", dest="json", action="store_true")
+    s.set_defaults(func=cmd_email_remove)
+
+
+__all__ = [
+    "cmd_email_setup",
+    "cmd_email_add",
+    "cmd_email_list",
+    "cmd_email_test",
+    "cmd_email_remove",
+    "register_email_parser",
+]

package/src/db/_email_accounts.py

@@ -0,0 +1,170 @@
+"""Plan Consolidado F1 — email_accounts CRUD.
+
+First-class multi-account email config. Replaces the legacy flat JSON
+at ~/.nexo/nexo-email/config.json (single tenant, password cleartext,
+operator-specific fields) with a structured table. Credentials never
+land in this row — they live in the `credentials` table referenced by
+`credential_service` + `credential_key`.
+"""
+
+from __future__ import annotations
+
+import json
+import time
+from typing import Any
+
+from db._core import get_db
+
+
+DEFAULT_IMAP_PORT = 993
+DEFAULT_SMTP_PORT = 465
+VALID_ROLES = ("inbox", "outbox", "both")
+
+
+def _row_to_dict(row) -> dict:
+    if row is None:
+        return {}
+    d = dict(row)
+    try:
+        d["trusted_domains"] = json.loads(d.get("trusted_domains") or "[]") or []
+    except Exception:
+        d["trusted_domains"] = []
+    try:
+        d["metadata"] = json.loads(d.get("metadata") or "{}") or {}
+    except Exception:
+        d["metadata"] = {}
+    d["enabled"] = bool(d.get("enabled", 1))
+    return d
+
+
+def add_email_account(
+    *,
+    label: str,
+    email: str,
+    imap_host: str = "",
+    imap_port: int = DEFAULT_IMAP_PORT,
+    smtp_host: str = "",
+    smtp_port: int = DEFAULT_SMTP_PORT,
+    credential_service: str = "",
+    credential_key: str = "",
+    operator_email: str = "",
+    trusted_domains: list[str] | None = None,
+    role: str = "both",
+    enabled: bool = True,
+    metadata: dict | None = None,
+) -> dict:
+    if not label or not email:
+        raise ValueError("label and email are required")
+    if role not in VALID_ROLES:
+        raise ValueError(f"role must be one of {VALID_ROLES}, got {role!r}")
+    conn = get_db()
+    now = time.strftime("%Y-%m-%d %H:%M:%S")
+    # Audit H2: when the caller does not pass `metadata` explicitly,
+    # an upsert would otherwise wipe whatever the operator (or another
+    # subsystem like auto_capture / poll-tuning) had previously stored
+    # on this label. Preserve the existing metadata in that case so
+    # the only way to clear it is `metadata={}` explicit.
+    if metadata is None:
+        existing = get_email_account(label) or {}
+        metadata = existing.get("metadata") if existing.get("metadata") else {}
+    conn.execute(
+        """
+        INSERT INTO email_accounts (
+            label, email, imap_host, imap_port, smtp_host, smtp_port,
+            credential_service, credential_key, operator_email,
+            trusted_domains, role, enabled, metadata, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+        ON CONFLICT(label) DO UPDATE SET
+            email = excluded.email,
+            imap_host = excluded.imap_host,
+            imap_port = excluded.imap_port,
+            smtp_host = excluded.smtp_host,
+            smtp_port = excluded.smtp_port,
+            credential_service = excluded.credential_service,
+            credential_key = excluded.credential_key,
+            operator_email = excluded.operator_email,
+            trusted_domains = excluded.trusted_domains,
+            role = excluded.role,
+            enabled = excluded.enabled,
+            metadata = excluded.metadata,
+            updated_at = excluded.updated_at
+        """,
+        (
+            label,
+            email,
+            imap_host,
+            int(imap_port),
+            smtp_host,
+            int(smtp_port),
+            credential_service,
+            credential_key,
+            operator_email,
+            json.dumps(trusted_domains or [], ensure_ascii=False),
+            role,
+            1 if enabled else 0,
+            json.dumps(metadata or {}, ensure_ascii=False),
+            now,
+            now,
+        ),
+    )
+    conn.commit()
+    return get_email_account(label) or {}
+
+
+def list_email_accounts(include_disabled: bool = True) -> list[dict]:
+    conn = get_db()
+    where = "" if include_disabled else "WHERE enabled = 1"
+    rows = conn.execute(
+        f"SELECT * FROM email_accounts {where} ORDER BY label COLLATE NOCASE"
+    ).fetchall()
+    return [_row_to_dict(r) for r in rows]
+
+
+def get_email_account(label: str) -> dict | None:
+    conn = get_db()
+    row = conn.execute(
+        "SELECT * FROM email_accounts WHERE label = ?",
+        (label,),
+    ).fetchone()
+    return _row_to_dict(row) if row else None
+
+
+def get_primary_email_account() -> dict | None:
+    """Most-recently-updated enabled account. Returns None if table empty."""
+    conn = get_db()
+    row = conn.execute(
+        "SELECT * FROM email_accounts WHERE enabled = 1 "
+        "ORDER BY updated_at DESC LIMIT 1"
+    ).fetchone()
+    return _row_to_dict(row) if row else None
+
+
+def set_email_account_enabled(label: str, enabled: bool) -> bool:
+    conn = get_db()
+    cur = conn.execute(
+        "UPDATE email_accounts SET enabled = ?, updated_at = datetime('now') "
+        "WHERE label = ?",
+        (1 if enabled else 0, label),
+    )
+    conn.commit()
+    return cur.rowcount > 0
+
+
+def remove_email_account(label: str) -> bool:
+    conn = get_db()
+    cur = conn.execute("DELETE FROM email_accounts WHERE label = ?", (label,))
+    conn.commit()
+    return cur.rowcount > 0
+
+
+__all__ = [
+    "add_email_account",
+    "list_email_accounts",
+    "get_email_account",
+    "get_primary_email_account",
+    "set_email_account_enabled",
+    "remove_email_account",
+    "DEFAULT_IMAP_PORT",
+    "DEFAULT_SMTP_PORT",
+    "VALID_ROLES",
+]

package/src/db/_schema.py

@@ -1083,6 +1083,55 @@ def _m43_session_claude_aliases(conn):
     )
 
 
+def _m46_email_accounts(conn):
+    """Plan Consolidado F1 — first-class multi-account email config.
+
+    Replaces the legacy ~/.nexo/nexo-email/config.json (single tenant,
+    password in cleartext, Francisco-hardcoded) with a structured table.
+
+    Columns:
+      - id: internal primary key.
+      - label: operator-friendly name ('primary', 'wazion', 'canari').
+      - email: address the account sends from.
+      - imap_host, imap_port: inbound server.
+      - smtp_host, smtp_port: outbound server.
+      - credential_service, credential_key: reference into the
+        `credentials` table (never store the password in this row).
+      - operator_email: where the briefing / digest is sent when this
+        account runs the morning agent.
+      - trusted_domains: JSON array of domains the inbox treats as
+        priority (not hard filter).
+      - role: 'inbox' (monitor only), 'outbox' (send only), 'both'.
+      - enabled: on/off without having to delete the row.
+      - created_at / updated_at.
+
+    Idempotent.
+    """
+    conn.execute(
+        """
+        CREATE TABLE IF NOT EXISTS email_accounts (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            label TEXT NOT NULL UNIQUE,
+            email TEXT NOT NULL,
+            imap_host TEXT NOT NULL DEFAULT '',
+            imap_port INTEGER NOT NULL DEFAULT 993,
+            smtp_host TEXT NOT NULL DEFAULT '',
+            smtp_port INTEGER NOT NULL DEFAULT 465,
+            credential_service TEXT NOT NULL DEFAULT '',
+            credential_key TEXT NOT NULL DEFAULT '',
+            operator_email TEXT NOT NULL DEFAULT '',
+            trusted_domains TEXT NOT NULL DEFAULT '[]',
+            role TEXT NOT NULL DEFAULT 'both',
+            enabled INTEGER NOT NULL DEFAULT 1,
+            metadata TEXT NOT NULL DEFAULT '{}',
+            created_at TEXT DEFAULT (datetime('now')),
+            updated_at TEXT DEFAULT (datetime('now'))
+        )
+        """
+    )
+    _migrate_add_index(conn, "idx_email_accounts_enabled", "email_accounts", "enabled")
+
+
 def _m45_personal_scripts_origin(conn):
     """Plan Consolidado F0.1 — mark whether a personal_scripts row is
     installed by NEXO Core (origin='core'), contributed by the operator
@@ -1164,6 +1213,7 @@ MIGRATIONS = [
     (43, "session_claude_aliases", _m43_session_claude_aliases),
     (44, "entities_extended_schema", _m44_entities_extended_schema),
     (45, "personal_scripts_origin", _m45_personal_scripts_origin),
+    (46, "email_accounts", _m46_email_accounts),
 ]
 
 

package/src/email_config.py

@@ -0,0 +1,143 @@
+"""Plan Consolidado F1 — single loader for scripts that used to read
+~/.nexo/nexo-email/config.json directly.
+
+The loader prefers the `email_accounts` table. When the table is empty
+(fresh install that hasn't run `nexo email setup` yet) it falls back
+to the legacy JSON for backwards compatibility — no crons stall while
+Francisco migrates.
+
+Usage from any script:
+
+    from email_config import load_email_config
+    cfg = load_email_config()  # returns dict with the shape the legacy
+                               # config.json used to have
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+from pathlib import Path
+from typing import Any
+
+_logger = logging.getLogger(__name__)
+
+NEXO_HOME = Path(os.environ.get("NEXO_HOME") or (Path.home() / ".nexo"))
+LEGACY_CONFIG_PATH = NEXO_HOME / "nexo-email" / "config.json"
+
+
+def _get_credential(service: str, key: str) -> str:
+    """Fetch a password from the credentials table. Returns empty string
+    on any miss so the caller can log-and-skip instead of crashing a cron.
+    """
+    if not service or not key:
+        return ""
+    try:
+        from db._core import get_db
+    except Exception:  # pragma: no cover
+        return ""
+    try:
+        conn = get_db()
+        row = conn.execute(
+            "SELECT value FROM credentials WHERE service = ? AND key = ?",
+            (service, key),
+        ).fetchone()
+        if row is None:
+            return ""
+        return str(row[0] or "")
+    except Exception as exc:  # pragma: no cover
+        _logger.warning("credential lookup failed for %s/%s: %s", service, key, exc)
+        return ""
+
+
+def _account_to_legacy_shape(account: dict, extra_operator_emails: list[str]) -> dict:
+    """Project an email_accounts row onto the dict the legacy code expects."""
+    password = _get_credential(
+        account.get("credential_service", ""),
+        account.get("credential_key", ""),
+    )
+    return {
+        "imap_host": account.get("imap_host", ""),
+        "imap_port": int(account.get("imap_port") or 993),
+        "smtp_host": account.get("smtp_host", ""),
+        "smtp_port": int(account.get("smtp_port") or 465),
+        "email": account.get("email", ""),
+        "password": password,
+        "operator_email": account.get("operator_email", ""),
+        "francisco_emails": list(extra_operator_emails or []),
+        "trusted_domains": list(account.get("trusted_domains") or []),
+        "sender_policy": account.get("metadata", {}).get("sender_policy", "open"),
+        "check_interval_seconds": account.get("metadata", {}).get("check_interval_seconds", 60),
+        "max_retries": account.get("metadata", {}).get("max_retries", 3),
+        "retry_backoff_seconds": account.get("metadata", {}).get("retry_backoff_seconds", 60),
+        "claude_binary": account.get("metadata", {}).get("claude_binary", ""),
+        "working_dir": account.get("metadata", {}).get("working_dir", str(Path.home())),
+        "automation_task_profile": account.get("metadata", {}).get("automation_task_profile", "deep"),
+        "max_process_time": account.get("metadata", {}).get("max_process_time"),
+        "label": account.get("label", ""),
+        "role": account.get("role", "both"),
+        "_source": "email_accounts",
+    }
+
+
+def _load_legacy_json() -> dict | None:
+    """Read ~/.nexo/nexo-email/config.json if it exists."""
+    if not LEGACY_CONFIG_PATH.exists():
+        return None
+    try:
+        data = json.loads(LEGACY_CONFIG_PATH.read_text())
+    except Exception as exc:
+        _logger.warning("legacy email config unparseable: %s", exc)
+        return None
+    if not isinstance(data, dict):
+        return None
+    data["_source"] = "legacy-config-json"
+    return data
+
+
+def load_email_config(label: str | None = None) -> dict | None:
+    """Return the email config for a given label (or the primary account).
+
+    Preference order:
+      1. email_accounts table (via label or get_primary_email_account).
+      2. ~/.nexo/nexo-email/config.json legacy file.
+      3. None if neither is available.
+    """
+    account: dict | None = None
+    try:
+        from db._email_accounts import get_email_account, get_primary_email_account
+        if label:
+            account = get_email_account(label)
+        else:
+            account = get_primary_email_account()
+    except Exception as exc:
+        _logger.warning("email_accounts lookup failed: %s", exc)
+
+    if account:
+        extra: list[str] = []
+        try:
+            from db._core import get_db
+            conn = get_db()
+            rows = conn.execute(
+                "SELECT email FROM email_accounts WHERE role IN ('inbox','both') AND enabled = 1"
+            ).fetchall()
+            extra = [r[0] for r in rows if r[0]]
+        except Exception:
+            pass
+        # F1 — also surface metadata.operator_aliases (the legacy
+        # `francisco_emails` list) so personal aliases keep treated as
+        # "operator's own messages".
+        aliases = (account.get("metadata") or {}).get("operator_aliases") or []
+        for a in aliases:
+            if a and a not in extra:
+                extra.append(a)
+        return _account_to_legacy_shape(account, extra)
+
+    return _load_legacy_json()
+
+
+__all__ = [
+    "load_email_config",
+    "LEGACY_CONFIG_PATH",
+]

package/src/presets/entities_local.sample.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://nexo-brain.com/schemas/entities-preset-v1.json",
+  "version": "1.0.0",
+  "description": "Operator-specific entity overrides. Copy to ~/.nexo/brain/presets/entities_local.json and edit with YOUR domains, hosts, IPs, tenants. This file is .gitignored — never committed to the public package. The installer merges local entries on top of entities_universal.json at `nexo init` and during `nexo update`.",
+  "source": "local",
+  "confidence": 1.0,
+  "entities": [
+    {
+      "type": "vhost_mapping",
+      "name": "example_main_site",
+      "metadata": {
+        "domain": "example.com",
+        "host": "ssh-alias-for-your-host",
+        "docroot": "/home/user/public_html",
+        "note": "Replace with your real production site. Host must match ~/.ssh/config alias."
+      }
+    },
+    {
+      "type": "host",
+      "name": "example-host-alias",
+      "aliases": ["example-ssh-nickname"],
+      "metadata": {
+        "ip": "203.0.113.1",
+        "provider": "your-cloud-provider",
+        "access_mode": "read_write",
+        "note": "Replace with your real hosts. NEXO reads ~/.ssh/config automatically so you usually don't need to list hosts here."
+      }
+    }
+  ]
+}

package/src/presets/entities_universal.json

@@ -154,7 +154,6 @@
       "type": "artifact_class",
       "name": "email_to_operator_contact",
       "aliases": [
-        "email_to_maria",
         "operator_email",
         "client_message"
       ],
@@ -162,23 +161,10 @@
         "tool": "nexo_email_send",
         "required_from": "info@<operator-domain>",
         "when": "reply / outreach to an operator's external contact (client, vendor, counterparty)",
-        "anti_example": "sending from nexo@systeam.es on behalf of Maria's CanaRirural shop",
+        "anti_example": "sending from the NEXO default mailbox on behalf of an operator's external tenant",
         "reference_learning": "feedback_no_email_followup_completados"
       }
     },
-    {
-      "type": "artifact_class",
-      "name": "shopify_banner_block",
-      "aliases": [
-        "banner",
-        "promo_strip"
-      ],
-      "metadata": {
-        "platform": "shopify",
-        "constraints": "max-width container with visible borders — NEVER a hero full-width bleed",
-        "reference_learning": "feedback_shopify_banner_not_hero"
-      }
-    },
     {
       "type": "artifact_class",
       "name": "changelog_entry",
@@ -191,81 +177,18 @@
         "reference_script": "scripts/verify_release_readiness.py"
       }
     },
-    {
-      "type": "vhost_mapping",
-      "name": "systeam_es",
-      "metadata": {
-        "domain": "systeam.es",
-        "host": "vicshop",
-        "docroot": "/home/vicshopsysteam/public_html",
-        "note": "Francisco advisory web"
-      }
-    },
-    {
-      "type": "vhost_mapping",
-      "name": "wazion_com",
-      "metadata": {
-        "domain": "wazion.com",
-        "host": "wazion-gcp",
-        "docroot": "/var/www/wazion.com/public_html"
-      }
-    },
-    {
-      "type": "vhost_mapping",
-      "name": "recambios_bmw",
-      "metadata": {
-        "domain": "recambios-bmw.es",
-        "host": "mundiserver",
-        "docroot": "/home/vicshop/public_html"
-      }
-    },
-    {
-      "type": "vhost_mapping",
-      "name": "allinoneapp",
-      "metadata": {
-        "domain": "allinoneapp.com",
-        "host": "mundiserver",
-        "docroot": "/home/vicshop/allinoneapp"
-      }
-    },
-    {
-      "type": "vhost_mapping",
-      "name": "bulksend",
-      "metadata": {
-        "domain": "bulksend.app",
-        "host": "mundiserver",
-        "docroot": "/home/vicshop/bulksend"
-      }
-    },
     {
       "type": "vhost_mapping",
       "name": "nexo_brain",
       "metadata": {
         "domain": "nexo-brain.com",
         "host": "github-pages",
-        "docroot": "public/"
-      }
-    },
-    {
-      "type": "vhost_mapping",
-      "name": "canarirural",
-      "metadata": {
-        "domain": "canarirural.com",
-        "host": "mundiserver",
-        "docroot": "/home/canariru/public_html",
-        "note": "Shop ID 14 servidor 45.148.1.111, Maria tenant"
-      }
-    },
-    {
-      "type": "vhost_mapping",
-      "name": "vic_shop",
-      "metadata": {
-        "domain": "vicshop.com",
-        "host": "vicshop",
-        "docroot": "/home/vicshopsysteam/vicshop"
+        "docroot": "public/",
+        "note": "Public product site. Safe to ship in the universal preset."
       }
     }
   ],
+  "local_overrides_note": "Operator-specific vhost_mapping entries (private domains, IPs, hostnames, tenant names) live in ~/.nexo/brain/presets/entities_local.json — copy from src/presets/entities_local.sample.json. The installer merges local entries on top of this universal preset at `nexo init`. Never commit operator data to entities_universal.json — v6.3.0 accidentally shipped seven such entries and was patched in v6.3.1.",
   "ssh_config_import": {
     "enabled_default": true,
     "source": "~/.ssh/config",

package/src/r23b_deploy_vhost.py

@@ -4,8 +4,8 @@ Pure decision module. Part of Fase D2 (hard bloqueante).
 
 Triggers when an scp/rsync command writes to a remote path that maps to
 a known vhost_mapping entity, and the surrounding context references a
-different domain. The classic incident: pushing systeam.es assets to
-the vicshop docroot because the mental-model-cached entity was wrong.
+different domain. The classic incident: pushing site-A assets to
+site-B's docroot because the mental-model-cached entity was wrong.
 """
 from __future__ import annotations
 

package/src/scripts/nexo-email-migrate-config.py

@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+# nexo: name=nexo-email-migrate-config
+# nexo: description=One-shot migrator: copy ~/.nexo/nexo-email/config.json into the email_accounts table (F1).
+# nexo: category=automation
+# nexo: runtime=python
+# nexo: timeout=30
+# nexo: idempotent=true
+
+"""Plan Consolidado F1 — one-shot migration.
+
+Reads ~/.nexo/nexo-email/config.json (v6.3.x legacy single-tenant file)
+and inserts it into the `email_accounts` table under label 'primary'.
+Password lands in the `credentials` table under service='email'/key='primary'.
+
+Idempotent: if a 'primary' row already exists, we skip (no overwrite).
+Callers can re-run with --force to overwrite.
+
+Runs automatically from auto_update.py the first time the operator
+updates to v6.4.0 or later. Can also be invoked manually.
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import sys
+import time
+from pathlib import Path
+
+
+NEXO_HOME = Path(os.environ.get("NEXO_HOME") or (Path.home() / ".nexo"))
+CODE_ROOT = Path(os.environ.get("NEXO_CODE") or (Path(__file__).resolve().parents[1]))
+if str(CODE_ROOT) not in sys.path:
+    sys.path.insert(0, str(CODE_ROOT))
+
+LEGACY_PATH = NEXO_HOME / "nexo-email" / "config.json"
+
+
+def _load_legacy() -> dict | None:
+    if not LEGACY_PATH.exists():
+        return None
+    try:
+        return json.loads(LEGACY_PATH.read_text())
+    except Exception as exc:
+        print(f"✗ legacy config unparseable: {exc}", file=sys.stderr)
+        return None
+
+
+def main(argv: list[str]) -> int:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--force", action="store_true")
+    parser.add_argument("--label", default="primary")
+    parser.add_argument("--dry-run", action="store_true")
+    args = parser.parse_args(argv)
+
+    legacy = _load_legacy()
+    if legacy is None:
+        print(f"(nada que migrar — {LEGACY_PATH} no existe)")
+        return 0
+
+    from db import init_db
+    from db._email_accounts import add_email_account, get_email_account
+
+    init_db()
+
+    existing = get_email_account(args.label)
+    if existing and not args.force:
+        print(
+            f"(cuenta '{args.label}' ya existe — email={existing.get('email')}, "
+            f"sin cambios). Usa --force para sobrescribir."
+        )
+        return 0
+
+    email = legacy.get("email", "")
+    password = legacy.get("password", "")
+    imap_host = legacy.get("imap_host", "")
+    imap_port = int(legacy.get("imap_port") or 993)
+    smtp_host = legacy.get("smtp_host", imap_host)
+    smtp_port = int(legacy.get("smtp_port") or 465)
+    operator_email = legacy.get("operator_email", "")
+    trusted = legacy.get("trusted_domains", []) or []
+    francisco = legacy.get("francisco_emails", []) or []
+
+    metadata = {
+        "sender_policy": legacy.get("sender_policy", "open"),
+        "check_interval_seconds": legacy.get("check_interval_seconds", 60),
+        "max_retries": legacy.get("max_retries", 3),
+        "retry_backoff_seconds": legacy.get("retry_backoff_seconds", 60),
+        "claude_binary": legacy.get("claude_binary", ""),
+        "working_dir": legacy.get("working_dir", str(Path.home())),
+        "automation_task_profile": legacy.get("automation_task_profile", "deep"),
+        "max_process_time": legacy.get("max_process_time"),
+        "operator_aliases": francisco,
+    }
+
+    cred_service = "email"
+    cred_key = args.label
+
+    if args.dry_run:
+        print(f"[dry-run] add_email_account(label={args.label}, email={email}, "
+              f"imap={imap_host}:{imap_port}, smtp={smtp_host}:{smtp_port}, "
+              f"role=both, operator={operator_email}, trusted={trusted})")
+        print(f"[dry-run] credentials[{cred_service}/{cred_key}] = <password>")
+        return 0
+
+    # Store credential
+    from db._core import get_db
+    conn = get_db()
+    now = time.time()
+    conn.execute(
+        """
+        INSERT INTO credentials (service, key, value, notes, created_at, updated_at)
+        VALUES (?, ?, ?, 'migrated from ~/.nexo/nexo-email/config.json (F1)', ?, ?)
+        ON CONFLICT(service, key) DO UPDATE SET
+            value = excluded.value, updated_at = excluded.updated_at
+        """,
+        (cred_service, cred_key, password, now, now),
+    )
+    conn.commit()
+
+    account = add_email_account(
+        label=args.label,
+        email=email,
+        imap_host=imap_host,
+        imap_port=imap_port,
+        smtp_host=smtp_host,
+        smtp_port=smtp_port,
+        credential_service=cred_service,
+        credential_key=cred_key,
+        operator_email=operator_email,
+        trusted_domains=trusted,
+        role="both",
+        metadata=metadata,
+    )
+
+    print(f"✓ Cuenta '{args.label}' migrada ({account.get('email')}).")
+    print(f"  Password guardada en credentials[{cred_service}/{cred_key}].")
+    print(f"  Metadata: operator_aliases={len(francisco)}, trusted_domains={len(trusted)}.")
+    print(f"  Legacy JSON intacto en {LEGACY_PATH} (borrarlo tras verificar con `nexo email test {args.label}`).")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))